-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4783
                          libyang security update
                             23 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libyang
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 8
                   Red Hat Enterprise Linux WS/Desktop 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-19334 CVE-2019-19333 

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:4360

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Red Hat. It is recommended that administrators
         running libyang check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: libyang security update
Advisory ID:       RHSA-2019:4360-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4360
Issue date:        2019-12-23
CVE Names:         CVE-2019-19333 CVE-2019-19334 
=====================================================================

1. Summary:

An update for libyang is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The libyang package provides a library for YANG data modeling language.
libyang is a YANG data modelling language parser and toolkit written (and
providing API) in C. The library is used e.g. in libnetconf2, Netopeer2,
sysrepo and FRRouting projects.

Security Fix(es):

* libyang: stack-based buffer overflow in make_canonical when bits leaf
type is used (CVE-2019-19333)

* libyang: stack-based buffer overflow in make_canonical when identityref
leaf type is used (CVE-2019-19334)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

IMPORTANT:

The libyang-devel sub-package has recently been removed from the AppStream
repository. If you have previously installed libyang-devel, remove it prior
to applying this advisory to make the update successful.

4. Solution:

If you have previously installed libyang-devel, remove it prior to applying
this advisory to make the update successful.

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1779573 - CVE-2019-19333 libyang: stack-based buffer overflow in make_canonical when bits leaf type is used
1779576 - CVE-2019-19334 libyang: stack-based buffer overflow in make_canonical when identityref leaf type is used

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
libyang-0.16.105-3.el8_1.2.src.rpm

aarch64:
libyang-0.16.105-3.el8_1.2.aarch64.rpm
libyang-cpp-debuginfo-0.16.105-3.el8_1.2.aarch64.rpm
libyang-debuginfo-0.16.105-3.el8_1.2.aarch64.rpm
libyang-debugsource-0.16.105-3.el8_1.2.aarch64.rpm
python3-libyang-debuginfo-0.16.105-3.el8_1.2.aarch64.rpm

ppc64le:
libyang-0.16.105-3.el8_1.2.ppc64le.rpm
libyang-cpp-debuginfo-0.16.105-3.el8_1.2.ppc64le.rpm
libyang-debuginfo-0.16.105-3.el8_1.2.ppc64le.rpm
libyang-debugsource-0.16.105-3.el8_1.2.ppc64le.rpm
python3-libyang-debuginfo-0.16.105-3.el8_1.2.ppc64le.rpm

s390x:
libyang-0.16.105-3.el8_1.2.s390x.rpm
libyang-cpp-debuginfo-0.16.105-3.el8_1.2.s390x.rpm
libyang-debuginfo-0.16.105-3.el8_1.2.s390x.rpm
libyang-debugsource-0.16.105-3.el8_1.2.s390x.rpm
python3-libyang-debuginfo-0.16.105-3.el8_1.2.s390x.rpm

x86_64:
libyang-0.16.105-3.el8_1.2.i686.rpm
libyang-0.16.105-3.el8_1.2.x86_64.rpm
libyang-cpp-debuginfo-0.16.105-3.el8_1.2.i686.rpm
libyang-cpp-debuginfo-0.16.105-3.el8_1.2.x86_64.rpm
libyang-debuginfo-0.16.105-3.el8_1.2.i686.rpm
libyang-debuginfo-0.16.105-3.el8_1.2.x86_64.rpm
libyang-debugsource-0.16.105-3.el8_1.2.i686.rpm
libyang-debugsource-0.16.105-3.el8_1.2.x86_64.rpm
python3-libyang-debuginfo-0.16.105-3.el8_1.2.i686.rpm
python3-libyang-debuginfo-0.16.105-3.el8_1.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-19333
https://access.redhat.com/security/cve/CVE-2019-19334
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXgA7EtzjgjWX9erEAQj7KBAAjEUWsYnU3jHCJQFV8Uxwc/GqKDQBJG1z
eA3NrdDTA639M9CCCRnorfgErKpmlU8qJahmyuUm2VdazfmC95K/ZOce/BdD3FxO
b/aRvjRG/fmMuiFC1bbg5KGRq27ZAyIZrRCTi1bHqbuVULufZUBX2mUxd5cR4L2m
/tfq86ckNeA6x9fZ9YotztOrTgJL7D4Ujxe6VE//BflFI4f7ouwQyLP556Q3vHI3
+litpxcY9yuWuKcblvC6Jm6W/7rluzVUd8d7l9/FI5bJdIinO57g6hrO3mbEUmgn
YeoFfjs+HI+kWTniZqJC+CUEBhY3Z3V+dKh2eiwKAEcerh8bi1CtXkTgoomJzef6
fU1A0arfPCNApyYTWGAMenHJvbZMASbwOw4YQoioN/m5C1Y6EGFs/JVx2Cg+MGCE
zTD6xGwi9Fhj2k1K5r70l/OtJpxLT3Hs5oGqlnu3BTLyIX4nNleVLgHPeScAttXf
mnE+/Mebm462qg/H/MiShxqevOg+ioieRwO3Z+PnzmYUqfBYx2Jc8l4282zhhFJy
hJNLU9s49TAdQgLIBoa3thPLgxeaQM+NhHpOsI6AD31JEKCPNWLZoC7hqsQeZbKs
ETP0upGdGvo0xrByp0JDVu6H/FoY6UL1087TfcUQX+blTKawNRZaZB+OVqDlvM7k
n2AioaFDJb4=
=cgM6
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXgBGZ2aOgq3Tt24GAQhRoRAAmJ4Pv9UJg+tzwrC8Kccx7yw5G5qNSgNX
qZtPbri7Cz7rfZYrf/QVURjgWGbOQyvHyXlzd54tN0daBMolH75nTI+usmLq90+8
qI0rcS46DlxVZ5R2OZRftJc6b4EQzzL8vlwveE/6dxtTYseRS/DuxKQnr0hIvkOK
3A7WdHlNxiel9LsZV0iMpXTxxYhZRShaeY7+HxfjNqfCkUDJGq1v7MSIZeDtwoy+
4P1aJrY0+EghVqbrK+YUlrLlMGbfnNfBnYty0uZ68Tgt6pDoMtgXyV9HCToRBRq7
GYYQiaxr9Ufqv/i966dvYerVFWagRjGZ085k1m4AW19Ue7P9JAGTEcFO7nxrXdEx
uPulMkXKe3xKBt3BwF9lGf4PKraL+xF3EjJJF4CZ6jdoB5mRsaSEeQLMKRLq03LK
SUQryzPpgcw4dW197+6ACRGSwvfg97t8cPYWxhYxBpbvR0bseiL04j5vkJRBoNEn
G6BU6qQFengOQ6i3p7NURTvPpxZk7LZn8/kjs0rPufjKgpFCPfEXaf9BTXiwTq9M
k0ilxLr96ZlyoBMl95qGpK9/A8CYBJKkTmJYx0JOfDK36XAGEEKo2Qd+TQiupc09
npAV0Qis63910YaTIajf/bZaElBpaxq7UpqMmmaSWBIwCoTWpx7t4e0rnEjW/XTH
/Gw8Mng4Iw0=
=9kT1
-----END PGP SIGNATURE-----